I'm working on a big project's registration system.
After successful signup, the server generates some activation key, adds it to user's row and sends it to user by email. Using some password generator class for this purpose.
The question is (I know that it sounds abstract but I just wonder), how to avoid duplicate pass generation? I mean, is there any chance that in future generator can create the activation key that already exists in db table? Should I check for duplication after key generation?
I would recommend using the Text_Password package from PEAR. Don't try to reinvent this wheel.
Don't force passwords to be strictly unique. It's actually less secure to have that enforcement. Consider that if I try to set my password to xyzzy and the site tells me I can't, that means now I know some account is using xyzzy as a password. I just have to try that password on all accounts until I find which one.
Don't use a hash digest as a generated password. Your users don't want to type in a hex string of 32 character (or longer). I have had the experience of coding a secure software activation key package in 2001, using PKI and MD5 hashes. But no one would use it because the keys were too long.
Do use a hash digest and salt to store passwords. Read this article by our fearless leader: You're Probably Storing Passwords Incorrectly.
See also my answers to a few other password-related questions:
- How to generate random password, or temporary URL, for resetting password in Zend Framework?
- PHP & MySQL compare password
- What data type to use for hashed password field and what length?
- How large should my password salt be?
Using a hash algorithm like SHA or Whirlpool with a unique input (like the users' unique username) will result in a hash that has an expected collision rate of 0.
I wouldn't roll my own algorithm for this.
md5(), as mentioned, are guaranteed solutions.
You could use the time, but it won't be "random" you'd have to add some randomness to it...
$key = md5(time());
Use GUID as your registration key, as it is always unique and generated by system